Introduction
We’ve all been to the doctor before. Maybe you make frequent trips for a chronic illness, or go for regular checkups every few years as needed. Regardless, every time you pass along personal details like your name, medical history and credit card info at the doctor’s office, you give them what’s known as protected health information (PHI). In the mid-1990s, HIPAA expanded its protections to include digital records.
Now, keeping those communications private requires a lot more regulation. Even prescriptions can be obtained through video chat these days! To keep all that information private, health professionals have had to adopt a number of addenda to HIPAA since its inception in 1996.
An Overview of Your PHI in HIPAA
The Health Insurance Portability and Accountability Act is one of the most well-known privacy statutes in America. These regulations protect your health information from disclosure and improper access; it stays confidential unless you give your express written permission. Fines for violating HIPAA can range up to $50K per incident and $1.5M per year.
Enforcement is overseen by the U.S. Department of Health & Human Services. They mean business! In their words:
The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.
https://www.hhs.gov/answers/hipaa/what-is-phi/index.html
Your PHI is a type of personally identifiable information (PII), which is an acronym you’re very likely to come across more as your security awareness grows.
What This Means for Your PHI
Knowing your privacy rights helps you enforce these boundaries more comfortably. The better you understand your PHI, the better you can manage it. Even if your healthcare providers do their very best, though, is your data really protected on their systems?
In the first half of 2022, over 19M health records were exposed in more than 300 data breaches. Interestingly, many of them originated from ineffective third-party risk management rather than from weaknesses in the affected healthcare providers’ own systems. Essentially, threat actors realized it was very difficult to break directly into hospitals, so they started targeting their supply chains instead.
Unfortunately, healthcare providers are not insulated businesses. They work with medical device manufacturers, business associates like lawyers, and myriad suppliers that must sometimes access the healthcare provider’s internal network. Any of them could pick up a malware infection that spreads when they log onto the local WiFi, or be phished for their account credentials so the attacker can impersonate the third-party associate. You can see how quickly that could spell trouble for the healthcare provider – and all their patients!
Conclusion
So with all this information in mind, what can you do to protect your PHI? It’s not as though you can decide to stop seeing a doctor when you get sick! You can, however, opt for fewer people to view and convey your PHI. If you receive notification from a provider that your data was (even potentially) exposed in a breach, you should also take steps to re-secure your accounts, use Dark Web Monitoring and credit reporting monitoring services to make sure no theft has taken place, and perform any other protective measures recommended by your security team.
Thankfully, healthcare providers are required to report big breaches within 60 days of their discovery, so it’s not as though you won’t know an incident has taken place. Encrypt your digital communications, use complex passwords, set up multi-factor authentication on your accounts and set strict permissions so that, on your end at least, your protected health information is as secure as you can make it. If you can, you might also look into your various healthcare providers to make more informed decisions about whom you trust to handle your PHI.
Protect your data on a daily basis with strong cybersecurity awareness, and your PHI will be better protected too!
References
- https://www.hhs.gov/answers/hipaa/what-is-phi/index.html
- https://www.n-able.com/blog/what-pii-and-phi-and-how-do-you-secure-them
- https://healthitsecurity.com/features/biggest-healthcare-data-breaches-reported-this-year-so-far
- https://www.aha.org/aha-center-health-innovation-market-scan/2022-10-25-third-party-cyber-risk-skyrockets-health-systems
- https://www.hipaa-associates.org/cybersecurity-to-protect-phi/